Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 20:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3bb67aac3eee2dd28d99522e55c66d05eb2de9af5ddaa14585630eb8fe0c5ed2.exe

  • Size

    695KB

  • MD5

    791333cde02a5fb562a6c0534752281f

  • SHA1

    eea8a42a9c8f38922962c28bd2dc755c6f4ddc9d

  • SHA256

    3bb67aac3eee2dd28d99522e55c66d05eb2de9af5ddaa14585630eb8fe0c5ed2

  • SHA512

    bc0b87407f5d64749bb37d1ed43c57bdab8aecbdd4fa425a6e432649b6f83d8beb8d27004a80838aa02495276e343616cbfe70d3836cca4c7d1aad56ce114826

  • SSDEEP

    12288:IMrzy906gTQYD0gneX8pfl88W1LJzhaZz2cv3eX+WvPSFzBgyJSKB0okH/qk:LyhpYDjeMfl8zkZfv3eX9yFB1Xk

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bb67aac3eee2dd28d99522e55c66d05eb2de9af5ddaa14585630eb8fe0c5ed2.exe
    "C:\Users\Admin\AppData\Local\Temp\3bb67aac3eee2dd28d99522e55c66d05eb2de9af5ddaa14585630eb8fe0c5ed2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un966006.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un966006.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4828.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4828.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1380
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9320.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9320.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4784
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si232411.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si232411.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1132

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si232411.exe
    Filesize

    175KB

    MD5

    b2a3259c7dd4ff9048779c413e09b3d7

    SHA1

    9bb9638e83afc9da611e3e05f6e7401f0061084c

    SHA256

    ffa615d10a60cc3140d6ca434751ff967c92409798c728223bb1fed3d201d5e8

    SHA512

    66e00931a60caf9bdefa4d1e34e98f167020d68c96bc1bf01c1e9b321a461c02d389badb2d29102acaa3a0efe3c4c4b1781578c71b75e49e6537a1ea4a3f0baf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si232411.exe
    Filesize

    175KB

    MD5

    b2a3259c7dd4ff9048779c413e09b3d7

    SHA1

    9bb9638e83afc9da611e3e05f6e7401f0061084c

    SHA256

    ffa615d10a60cc3140d6ca434751ff967c92409798c728223bb1fed3d201d5e8

    SHA512

    66e00931a60caf9bdefa4d1e34e98f167020d68c96bc1bf01c1e9b321a461c02d389badb2d29102acaa3a0efe3c4c4b1781578c71b75e49e6537a1ea4a3f0baf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un966006.exe
    Filesize

    553KB

    MD5

    f103bc66547f77ec89c00337b7fc6800

    SHA1

    1bd6824b76a73827f30db68d41c966cc949e575c

    SHA256

    e930fd9af43c6407afdb4e04c7a2d4084cc97f2aa47ab22f8c8eda534cc54bdd

    SHA512

    bb7010f0a899b6e1a9a89c5c20cd25ceffb328b1e2096c92a29202fc4a4a712668d7ddccfb0be3e79950b6014a40bb10a2e3acb2682c665ef04438e3603e5e23

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un966006.exe
    Filesize

    553KB

    MD5

    f103bc66547f77ec89c00337b7fc6800

    SHA1

    1bd6824b76a73827f30db68d41c966cc949e575c

    SHA256

    e930fd9af43c6407afdb4e04c7a2d4084cc97f2aa47ab22f8c8eda534cc54bdd

    SHA512

    bb7010f0a899b6e1a9a89c5c20cd25ceffb328b1e2096c92a29202fc4a4a712668d7ddccfb0be3e79950b6014a40bb10a2e3acb2682c665ef04438e3603e5e23

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4828.exe
    Filesize

    308KB

    MD5

    5d4e78018be5a1ad61ba3179d758def0

    SHA1

    d60741a7b8b689343ee19c64c78083b9d2033b07

    SHA256

    d7cd4998f58fe972fbb95e4f0ed26994a4357bdeaf5f454fdd80839cc35da378

    SHA512

    fad63c1c4e0b4ef0741c1afb9e2d8a8f5953e75b4579f66ccf79193895af700eee82663f0bfece9e7f50c69cf0780dc25105d743a7136fc0097f829d1241ca0d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4828.exe
    Filesize

    308KB

    MD5

    5d4e78018be5a1ad61ba3179d758def0

    SHA1

    d60741a7b8b689343ee19c64c78083b9d2033b07

    SHA256

    d7cd4998f58fe972fbb95e4f0ed26994a4357bdeaf5f454fdd80839cc35da378

    SHA512

    fad63c1c4e0b4ef0741c1afb9e2d8a8f5953e75b4579f66ccf79193895af700eee82663f0bfece9e7f50c69cf0780dc25105d743a7136fc0097f829d1241ca0d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9320.exe
    Filesize

    366KB

    MD5

    cc782d3e956c281579436f794ee10e40

    SHA1

    ac6c511525954e1a2d5ff3497467c0af52ad7296

    SHA256

    e572e8ed24ac5b745f3c04f03e98f1cab562c58ecb3d854f284682ec517f359e

    SHA512

    7541d1417cee033a81cf3caaa685ad3a7b0f08e20f9d3af2f72bb5601997fb4e43614b35b67c6e71c1b0f2bb3a0498be2aa77e9a708af00dae4aee008491c55f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9320.exe
    Filesize

    366KB

    MD5

    cc782d3e956c281579436f794ee10e40

    SHA1

    ac6c511525954e1a2d5ff3497467c0af52ad7296

    SHA256

    e572e8ed24ac5b745f3c04f03e98f1cab562c58ecb3d854f284682ec517f359e

    SHA512

    7541d1417cee033a81cf3caaa685ad3a7b0f08e20f9d3af2f72bb5601997fb4e43614b35b67c6e71c1b0f2bb3a0498be2aa77e9a708af00dae4aee008491c55f

    Download Submit

  • memory/1132-1121-0x00000000000F0000-0x0000000000122000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1132-1122-0x0000000004A10000-0x0000000004A20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1132-1123-0x0000000004A10000-0x0000000004A20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-156-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-168-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-152-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-153-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-154-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-151-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-158-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-162-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-160-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-164-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-166-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-149-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-170-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-172-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-174-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-176-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-178-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-180-0x0000000002410000-0x0000000002422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1380-181-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1380-182-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-183-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-185-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1380-150-0x0000000004ED0000-0x0000000005474000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1380-148-0x00000000007E0000-0x000000000080D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4784-191-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-227-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-196-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4784-198-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4784-199-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-195-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-201-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-203-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-205-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-207-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-209-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-211-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-213-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-215-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-217-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-219-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-221-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-223-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-225-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-194-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4784-1100-0x0000000005460000-0x0000000005A78000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4784-1101-0x0000000005B00000-0x0000000005C0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4784-1102-0x0000000005C40000-0x0000000005C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4784-1103-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4784-1104-0x0000000005C60000-0x0000000005C9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4784-1105-0x0000000005F50000-0x0000000005FE2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4784-1106-0x0000000005FF0000-0x0000000006056000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4784-1107-0x0000000006810000-0x00000000069D2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4784-1109-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4784-1110-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4784-1111-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4784-1112-0x00000000069F0000-0x0000000006F1C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4784-192-0x00000000007F0000-0x000000000083B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4784-190-0x0000000002980000-0x00000000029BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4784-1113-0x00000000027F0000-0x0000000002800000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4784-1114-0x00000000071B0000-0x0000000007226000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4784-1115-0x0000000007230000-0x0000000007280000-memory.dmp

    Filesize

    320KB

    Download